We are at an inflection point, a critical time when it comes to election innovation. In the wake of a tense presidential election, credibility of experts and trust in technology is being questioned in unprecedented ways. There’s much at stake. We have the opportunity to expand access and fundamentally transform our voting system so that everybody can easily and safely have access to a ballot.
However, misinformation about this sensitive industry abounds, compounding on each other. The false stories you read about voting companies are not new. It’s been years in the making. The responsibility of setting the record straight has shifted to companies. It's not a role we expected to play, but one we take seriously. Before you conclude that a story you’ve read about Voatz is gospel, please take the time to read this.
These contain blatantly false accusations that are harmful to the mission of giving all citizens a ballot. We’ve reached a dangerous point where there’s a true risk of putting a halt to progress. Mission oriented companies like ours are instead placed under suspicion and targeted via coordinated media attacks to create fear and drown the ability to innovate or collaborate.
Voatz welcomes skepticism. We know we can and must improve, and we invite people in the field to find areas where we can improve. We pioneered public bug bounty programs in the elections industry, and offer full and transparent audits for every vote cast in every election we’ve run. These efforts have improved our product. We’ll never stop improving.
But we need to set the record straight about our mission, our practices, and our relationships. The goal is to provide a deeper understanding of the election technology space and to provide common ground to move forward. We need a shared space to close gaps in an election system that sorely needs transformation. Vulnerable voters deserve no less.
Click on a section below to learn more. expand all
False: Voatz hopes to replace all voting with internet voting.
Truth: Voatz’ mission is expanding access to ballots.
Voatz is developing its platform as an additional option for those who more traditional voting methods are not readily accessible. This includes deployed military personnel, citizens living overseas, first responders and voters living with disabilities. During a pandemic or natural disaster-type situation, mobile voting could provide a resilient third or fourth option.
False: Voatz wants to move too fast and break things.
Truth: Voatz advocates for purposeful pilots.
We advocate for the purposeful, responsible roll out of Internet voting platforms. There’s too much at stake to do otherwise. We developed our platform for three years before we ever tried to debut it in governmental election pilots. We want to work within the existing system - not outside of it. Our work is guided by forward-looking election officials who have dedicated their careers to promoting accessible voting.
Voatz is using the pilots to conduct field studies on real-world threats on the ground, including network, device, and application type-vulnerabilities.
False: There is no paper trail.
Truth: Every ballot marked using the Voatz applications produces a fully tabulatable paper ballot printed at the jurisdiction.
False: Voatz does not allow you to audit votes.
Truth: Voatz is the only platform that allows 100% auditability.
Audits are one of the main features of the Voatz platform. Voatz pioneered citizens audits. While still in pilot stages, mobile voting has been able to offer voter ballot confirmation and 100% auditability.
Votes cast on the Voatz app can be audited at three points:
This brief video explains the process.
Citizen’s audit #1: Post-election Audit (Denver County, CO)
Citizen’s audit #2: Post-election Audit (Utah County, UT)
Citizen’s audit #3: Post-Election Audit, Utah GOP State Party
- By the voter after the ballot has been cast.
- By the election official using the anonymous receipts and the printed paper ballot.
- By volunteers using an anonymous ID to compare the anonymous voter receipts with the printed paper ballot and the data on the blockchain.
False: It’s settled science that internet voting can never be safe.
Truth: When it comes to science, nothing is ever settled - how can we believe otherwise?
False: Voatz doesn’t like researchers.
Truth: Voatz has worked with numerous researchers and academics over the years.
- Voatz values collaborative research - we would not exist otherwise.
- We believe in open and transparent collaboration. We all share a mission of a secure platform.
- We invite all who are curious about the platform and seek to increase security in the elections industry to engage with us. More information about that is here.
- Voatz was the first elections company to launch a public bug bounty program in r2018 to foster collaborative security research and testing.
False: Voatz went after student researchers at the University of Michigan during the 2018 West Virginia election.
Truth: We did no such thing. Voatz reported a failed attempt to breach its system to its client - the West Virginia Secretary of State’s Office.
Voatz did not report anyone to the FBI as falsely reported by CNN and repeated by multiple media outlets. It would be an absolute breach of client trust if Voatz had omitted any attempt to breach its platform in its reporting to its client.
Think about it - would you prefer that an elections company made the decision to not report an attempt? Even entertaining this idea would be irresponsible and reckless, to our clients and to the public.
As stewards of critical infrastructure, representatives of West Virginia called upon the US Attorney's Office and held a press conference to issue their report on the attack, which reflected a system that was successful in warding off attempted entry. Voatz was not involved in any decision making around this investigation at all.
- Voatz has a responsibility to report any unusual activity that happens during an engagement with a client.
- Voatz did not independently contact law enforcement or any additional authority.
- Click here for a detailed look at the West Virginia pilot and timeline.
- Direct evidence from the security report provided to West Virginia in 2018 (provided here with permission from the client with the explicit purpose to set the record straight).
False: Security researchers fear legal ramifications from Voatz if they tried to study the platform.
Truth: Voatz has not sued or been sued by anyone.
Voatz's only interaction with the courts has been to submit an amicus brief in an effort to correct the misinformation about the failed attempt to breach the West Virginia pilot. In fact, most critics who’ve been vocal about Voatz have bigger platforms and megaphones than Voatz, reinforcing false narratives, despite our best efforts to set the record straight.
False: Voatz was kicked off HackerOne.
Truth: Because of public pressure from a small group of critics HackerOne and Voatz mutually agreed to pause the program.
Some critics believed Voatz wronged the community by simply recording the failed attempts by the students of University of Michigan during the West Virginia pilot. This is a textbook case of small lies building into bigger ones. At the time when we detected, blocked and reported the failed attempt to our client, we were not aware of any intent by individuals to conduct research on our platform. They did not sign up to participate in the bug bounty program.
In the absence of any prior indication and given that it was a live election, Voatz acted ethically and reported the failed attempt to its clients.
False: Voatz made retroactive changes to its bug bounty program to hurt researchers.
Truth: No such retroactive change was done. Updates to the program at the end of each testing cycle are a normal industry standard.
As product features evolve over the course of time, it is quite normal to revise the scope and goals of such programs. We’ve accordingly updated the scope of our bug bounty programs after each testing cycle. There has been no retroactive rule-changing of any sort.
The change log is displayed below and nowhere does the word retroactive appear. Our previous policy clearly included TestFlight and PlayBeta instructions:
The change coincided with the launch of the cycle 3 of our testing. Such updates are normal as products evolve. Moreover the above change occurred 1 year after the WV incident so there was no connection between the two events.
Active attempts to discredit our program were made, including threats to other researchers and H1 (HackerOne).
Voatz believed that the program would be much more successful as an in-house effort, built on the standards of much larger tech companies like Apple and Google.
False: Voatz is not transparent.
Truth: Voatz is pioneering what it means to be transparent in the election space.
- In 2018, Voatz became the first elections company in the world to launch a public bug bounty program to facilitate ongoing threat detection for its upcoming product releases. Anyone can test the Voatz platform via our public bug bounty program.
- We engage multiple independent third parties to conduct assessments - which are published on our website, with proprietary patent information redacted.
- We voluntarily engaged with the Department of Homeland Security (DHS) and one of the leading federal testing labs in the nation to review our infrastructure and the technologies deployed in our pilots.
- We also employ industry standard tools/services for pen testing and SSL testing.
False: MIT researchers found multiple vulnerabilities in the Voatz system.
Truth: Their claims were summarily debunked in our technical paper.
You can read the full details of the technical paper here.
Truth: Voatz has not had a single successful hack or breach in any of its pilot programs.
You can read a security paper that details threats in the field and the Voatz remote voting system defense capabilities while conducting remote elections.
Truth: We need standards to build accountability and move the industry forward.
- We need to find a path forward, a common language for all stakeholders to work together toward a common goal: ensuring that all voters can vote and that our elections are safe.
- We’ve pushed for standards through the National Association of Secretaries of State (NASS): In January 2021, we highlighted the urgency for these standards to include the experience of running elections in a pandemic. We also seek to learn from election officials who pulled off a successful election despite all odds: Looking to the Future: A Renewed Call for Standards and Transparency for Access and Resiliency.
- This year’s advocacy was built on our case from last year to create comprehensive Standardization of Remote Ballot Marking & Return Through a Rigorous National Study & Examination.
- Any study should consider if these apps can take full advantage of the security features of the platform, while being able to verify the voter, secure their markings of the ballot, encrypt & guarantee the return of the marked ballot all while assuring the anonymity of the voter.
Truth: Our record speaks for itself. We offer a new option for voters, with record participation and no incidents.
- 126 successful elections (as of June 2023)
- 6 countries
- 9 US states
- 15 Canadian cities/towns
- 2.3+ million voters served
- Zero successful security incidents
- Multiple civic tech and innovation awards